Common Web Application Vulnerabilities
Know Your Enemy
Speakers
Jason Chrin – Infrastructure Security
Jonathan Bailer – Code Vulnerability
Lawrence Wolfe – The Human Factor
The State of the Internet
January
– Target: 70 million contact records stolen
– Michaels: 2.6 million credit cards stolen
May
– eBay: 223 million customer accounts stolen
June
– Evernote: DDoS
September
– Home Depot: 56 million credit cards stolen
– Google: 5 million accounts compromised
– Apple: iCloud hacking
Motivations Behind Attacks
Source: Hackmageddon.com
SERVER & INFRASTRUCTURE SECURITY
Know Your Enemy
Attack Surface
The sum of all paths for data/commands into and out of the application
The code that protects these paths
All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and Personally Identifiable Information
The code that protects this data
Limiting your Attack Surface
Warner Bros. Pictures 2006
Limiting your Attack Surface
Build and maintain a secure network
Data Security Policies
Encryption and secure transmission
Attack Type 1: Port Scanning
Attacker attempts to connect to various ports on your networks
Tries to determine what is open on the network and can be used as an entry vector
Firewall – external access
The front door to your application
Only open access that is needed
Only allow ingress from known locations
Firewall – internal access
DMZ
Network Segmentation
Application firewalls
Attack Type 2: Eavesdropping
Source: owasp.org
Data Security
Types of sensitive data
1. Regulated
– Financial Information
– Healthcare Information
2. Unregulated
– Proprietary Information
– Confidential Information
How to Handle Your Data
Securely store data – use encryption
Only store what data is needed
Limit Access to data
Encrypted transmission – SSL
Attack Type 3: Password Attacks
Brute force attacks
Info gained from Eavesdropping
Default credential attempts
Secure Access
Remote access over secure channels
– VPN
– SSL connections
Authentication
– Unique credentials for each user
– Strong password policy
– Multi Factor Authentication
What is MFA?
Possession Factor – something user has
Knowledge Factor – something user knows
Inherence Factor – something the user is
Logging Access
Logging for system connections
Application level Logging
Log monitoring software
Attack Type 4: Application Layer Attack
Targets application servers looking for OS or application faults
Bypasses normal access controls
Gains elevated privileges
Patch Management
OS Updates
Application Updates
AV / Malware Definitions
Active Scanning
Anti-Virus – Protects against malicious code
Malware – Annoyance programs that may offer a back door for attacks
Intrusion Detection – Automated monitoring for suspicious activity
Penetration Testing
Attack Type 5: Man in the Middle
Source: 4kcc.com
Preventing Man in the Middle
Use strong encryption for communication
Segregate production networks
Be Diligent
This is just a start
New exploits found daily
Review your logs and procedures
External auditing
CODE VULNERABILITY
Know Your Enemy
What does code vulnerability mean?
Flaw or oversight in an application allowing unauthorized or unintended use
Types of code vulnerabilities
Injection
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Information leakage
Injection – What is it?
Processing of invalid data changing the course of execution
– Arbitrary modification of data
– Installation of malware
– Privilege escalation
– HTML/Script injection
Injection – How does it work?
Injection - Example
Injection – Types
SQL Injection
HTML Script Injection
Dynamic Evaluation Vulnerability
Object injection (serialization)
Remote File Injection
Shell Injection
Injection – Prevention
Whitelist input
Sanitize input
Parameterization
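As an added illustration, not code from the deck, the three prevention points applied to a SQL lookup using Python's standard sqlite3 module; the table, the sample rows and the function names are constructed for the example, and the whitelist handles the one query part (the ORDER BY identifier) that a driver cannot parameterize:

```python
import sqlite3

# Constructed sample rows for the example, not data from the deck.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
# Whitelist for the one query part a driver cannot parameterize: identifiers.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the input is concatenated into the SQL text, so it can
    # change the structure of the statement, not just the value compared.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name, sort_by="name"):
    # Parameterization: the value travels separately from the statement and
    # is always treated as data. ORDER BY takes an identifier, which cannot
    # be bound, so that part is whitelisted instead of sanitized.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not in whitelist")
    sql = f"SELECT name, email FROM users WHERE name = ? ORDER BY {sort_by}"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print(find_user_unsafe(db, hostile))  # every row comes back
    print(find_user_safe(db, hostile))    # nobody has that literal name
```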
Cross-site Scripting – What is it?
Injecting client-side script into Web pages viewed by other users
Cross-site Scripting – Example
Cross-site Scripting – Types
Non-Persistent – Query string, post data, etc. (e.g. search results)
Persistent – Database or file changes (e.g. comments)
DOM-based – Runs entirely in the client
Cross-site Scripting – Prevention
Sanitize user input and output that is based on user created content
Top-down testing and analysis of client side scripts
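Added example, not part of the original slides: output encoding chosen per context for the persistent-comment case, using Python's html and json modules. The comment values, author string and function names are constructed; the script-context helper covers the sink that DOM-based XSS reads from, which plain HTML escaping does not protect.

```python
import html
import json


def render_comment_unsafe(author, text):
    # Vulnerable: stored comment text and author name are written straight
    # into HTML, so a stored (persistent) payload runs for every viewer.
    return f'<li data-author="{author}">{text}</li>'


def render_comment_safe(author, text):
    # HTML body and quoted-attribute contexts: escape &, <, >, " and '.
    # quote=True is what protects the attribute value.
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return f'<li data-author="{safe_author}">{safe_text}</li>'


def embed_json_for_script(obj):
    # Script context: JSON-encode the data, then neutralize "</" so no
    # string value can close the <script> element early. The result is
    # still valid JSON and valid JavaScript.
    return json.dumps(obj).replace("</", "<\\/")


if __name__ == "__main__":
    # Constructed sample values for the demo.
    author = 'mallory" onmouseover="alert(1)'
    text = "<script>alert(1)</script>"
    print(render_comment_unsafe(author, text))
    print(render_comment_safe(author, text))
    print("<script>var comments = " + embed_json_for_script([text]) + ";</script>")
```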
Cross-site Request Forgery – What is it?
Causing a user’s browser to perform an unwanted action on a trusted site for which the user is authenticated. A form of the confused deputy problem.
Cross-site Request Forgery – Example
Cross-site Request Forgery – Prevention
Synchronizer token pattern
Cookie-to-header Token
Information Leakage – What is it?
Application unintentionally revealing sensitive information
– System/environment configuration
– User information
– etc.
Information Leakage – What is it?
Comments visible in response data
Overly detailed error information
Difference in behavior
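Both prevention patterns named on this slide, as an added Python example rather than code from the deck. The Session class is a hypothetical stand-in for a framework's server-side session store, and the form dictionaries are constructed to show one request from the site's own page and one forged from elsewhere.

```python
import hmac
import secrets


class Session:
    """Hypothetical server-side session store (stand-in for a real framework's)."""

    def __init__(self):
        self.data = {}


def issue_csrf_token(session):
    # Synchronizer token pattern: one unpredictable token per session, kept
    # server-side and rendered into every state-changing form as a hidden field.
    token = session.data.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session.data["csrf_token"] = token
    return token


def validate_csrf(session, submitted):
    expected = session.data.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time compare so the check itself does not leak the token.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, form):
    # The browser attaches the session cookie automatically on a cross-site
    # request; only a page that could read the token can supply it.
    if not validate_csrf(session, form.get("csrf_token")):
        return 403, "Rejected: missing or invalid CSRF token"
    return 200, f"Transferred {form['amount']} to {form['to']}"


def validate_cookie_to_header(cookie_token, header_token):
    # Cookie-to-header variant: the server sets a random token cookie and the
    # site's own JavaScript copies it into a custom request header. A page on
    # another origin cannot read the cookie, so it cannot produce the header.
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token, header_token)


if __name__ == "__main__":
    sess = Session()
    token = issue_csrf_token(sess)
    print(handle_transfer(sess, {"amount": "100", "to": "alice", "csrf_token": token}))
    print(handle_transfer(sess, {"amount": "100", "to": "mallory"}))  # forged post
```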
Information Leakage – Example
Information Leakage – Prevention
Parse errors before display
Remove debugging information from production
Always be aware of what your application’s behavior reveals
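An added example, not from the deck, covering two of the leakage sources listed above: an error wrapper that keeps exception detail in the server log and returns only a reference id, and a login check whose response does not differ between an unknown user and a wrong password. The user store, password hashes and function names are constructed for the example.

```python
import hashlib
import hmac
import logging
import uuid

log = logging.getLogger("app")

# Constructed user store: username -> sha256(password). A real system would
# use a slow password hash; the point here is the response, not the hashing.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
GENERIC_LOGIN_ERROR = "Invalid username or password"


def login_leaky(user, password):
    # Difference in behavior: the two messages reveal which usernames exist.
    if user not in USERS:
        return "No such user"
    if USERS[user] != hashlib.sha256(password.encode()).hexdigest():
        return "Wrong password"
    return "OK"


def login_uniform(user, password):
    # One message for both failures, and the hash is computed either way so
    # the unknown-user path does not finish visibly faster.
    stored = USERS.get(user, hashlib.sha256(b"").hexdigest())
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if user in USERS and hmac.compare_digest(stored, supplied):
        return "OK"
    return GENERIC_LOGIN_ERROR


def run_request(handler, *args, debug=False):
    # Parse errors before display: full detail (stack trace, exception text)
    # goes to the server log under a reference id; the client only gets the
    # id. Exception text reaches the client solely in an explicit debug build.
    try:
        return 200, handler(*args)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)
        if debug:
            return 500, f"{type(exc).__name__}: {exc}"
        return 500, f"Something went wrong. Reference: {ref}"


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), "|", login_uniform("nobody", "x"))
    print(run_request(lambda: 1 / 0))
```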
THE HUMAN FACTOR
Know Your Enemy
The Human Factor: Code Review
Source: SmartBear
The Human Factor: Code Review
What if…
…one of those bugs is a security vulnerability that exposes customer data?
Labor + Damages = $$$ Millions? Billions?
The Human Factor: Code Review
Self audit through annotation & peer review
– Fewer defects, better performing code
– Reduces chance of vulnerable code making it to production
– Go from as strong as your weakest link to as good as the best on your team
– Reduce technical debt
– Continuous education
Tools
– SmartBear Collaborator, Atlassian Crucible
The Human Factor: Source Control
Source Control
– Beyond version management and feature development
– Enables code collaboration and vulnerability prevention
– Merge workflow, feature/module branches
– Git – BitBucket, Github + Console, SourceTree, VS
Automated Builds
– Continuous Integration
– Code Standards, Static Analysis
– Reduces potential for introducing insecure configurations
– Empowers team and individual accountability
– Tools: Jenkins, Team Foundation Server, Travis CI (cloud)
The Human Factor: Sensitive Data
Obfuscated, Masked and Mock Data
– Limit developer access to production data when possible, e.g. employee, customer and financial data
– Development data sources should not contain real data
– Use mock data for test driven development
– Tools: SQL – redgate SQL Data Generator; ruby – Faker::HipsterIpsum
The Human Factor: Modular Dev
For large projects and teams, isolate risks with modular development
Architect for modular development, e.g. SOA, libraries, packages, gems
Developer only needs access to build specific components
The Human Factor: Social Hacking
Phishing – Common behaviors
Spear Phishing – Specific target
Impersonation – “Service Desk”
Thank You! Q&A